From d0a9a9b7c389e352db4be8f99348e4272b2fdfa2 Mon Sep 17 00:00:00 2001
From: Zaku <127139771+Zakurama@users.noreply.github.com>
Date: Fri, 15 Nov 2024 21:43:42 +0100
Subject: [PATCH 1/5] feat: add role for vault agent
Co-authored-by: Thomas Gaudin
---
 roles/vault_agent/files/retrieving_cert.tmpl | 10 +++
 .../files/vault-agent-certificates.service | 12 +++
 roles/vault_agent/handlers/main.yml | 4 +
 roles/vault_agent/tasks/main.yml | 86 +++++++++++++++++++
 .../vault_agent/templates/agent-config.hcl.j2 | 39 +++++++++
 roles/vault_agent/templates/content.j2 | 1 +
 6 files changed, 152 insertions(+)
 create mode 100644 roles/vault_agent/files/retrieving_cert.tmpl
 create mode 100644 roles/vault_agent/files/vault-agent-certificates.service
 create mode 100644 roles/vault_agent/handlers/main.yml
 create mode 100644 roles/vault_agent/tasks/main.yml
 create mode 100644 roles/vault_agent/templates/agent-config.hcl.j2
 create mode 100644 roles/vault_agent/templates/content.j2
diff --git a/roles/vault_agent/files/retrieving_cert.tmpl b/roles/vault_agent/files/retrieving_cert.tmpl
new file mode 100644
index 0000000..8be1415
--- /dev/null
+++ b/roles/vault_agent/files/retrieving_cert.tmpl
@@ -0,0 +1,10 @@
+{{with secret "secret/certificat-web"}}
+{{ index .Data.data "privkey.pem" | writeToFile "privkey.pem" "" "" "0400"}}
+{{ index .Data.data "chain.pem" | writeToFile "chain.pem" "" "" "0400"}}
+{{ index .Data.data "cert.pem" | writeToFile "cert.pem" "" "" "0400"}}
+{{ index .Data.data "fullchain.pem" | writeToFile "fullchain.pem" "" "" "0400"}}
+{{ index .Data.data "privkey.pem"}}
+{{ index .Data.data "chain.pem"}}
+{{ index .Data.data "cert.pem"}}
+{{ index .Data.data "fullchain.pem"}}
+{{end}}
\ No newline at end of file
diff --git a/roles/vault_agent/files/vault-agent-certificates.service b/roles/vault_agent/files/vault-agent-certificates.service
new file mode 100644
index 0000000..07a9c95
--- /dev/null
+++ b/roles/vault_agent/files/vault-agent-certificates.service
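Review bot: The four bare `{{ index .Data.data "..." }}` lines after the writeToFile calls copy the private key and the certificates a second time into the template's destination file (the `template_output` configured in agent-config.hcl), so the key ends up in two files with two different permission sets. If those lines exist only so the destination changes when the secret rotates and the `exec` reload fires, emit a digest instead of the material, e.g. `{{ index .Data.data "privkey.pem" | sha256Hex }}` — consul-template ships `sha256Hex`, but confirm the Vault agent version in use exposes it. The `writeToFile` paths are relative, so where the files land depends on the agent's working directory; an absolute path would make that explicit.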
@@ -0,0 +1,12 @@
+[Unit]
+Description=Vault Agent - retrieve Let's Encrypt certificates from Vault
+After=network.target
+
+[Service]
+Type=notify
+WorkingDirectory=/root/vault_agent_certificat
+ExecStart=/usr/bin/vault agent -config=agent-config.hcl
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/vault_agent/handlers/main.yml b/roles/vault_agent/handlers/main.yml
new file mode 100644
index 0000000..ab01058
--- /dev/null
+++ b/roles/vault_agent/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: Restart vault-agent-certificates
+ ansible.builtin.systemd:
+ name: vault-agent-certificates
+ state: restarted
diff --git a/roles/vault_agent/tasks/main.yml b/roles/vault_agent/tasks/main.yml
new file mode 100644
index 0000000..35f65f8
--- /dev/null
+++ b/roles/vault_agent/tasks/main.yml
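Review bot: `After=network.target` in the `[Unit]` section does not wait for an address or a route, so at boot the agent can start before it can reach `https://vault.rezoleo.fr`; `Restart=always` plus the `retry` stanza will eventually recover, but the intent is clearer and the first attempt more likely to succeed with `Wants=network-online.target` and `After=network-online.target`. The service runs as root and keeps the AppRole `secret_id` and the token sink in its working directory, so a little sandboxing is cheap: `NoNewPrivileges=true` and `PrivateTmp=true` are safe to add, while `ProtectSystem=` would need `ReadWritePaths=` for the certificate directory since the template writes under `/etc`. Whether `Type=notify` is honoured by `vault agent` in the pinned version is not visible here — worth confirming, since a wrong type makes `systemctl start` hang until timeout.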
@@ -0,0 +1,86 @@
+- name: Download Vault Hashicorp gpg key
+ ansible.builtin.get_url:
+ url: https://apt.releases.hashicorp.com/gpg
+ dest: /usr/share/keyrings/hashicorp-archive-keyring.asc
+ mode: "0644"
+ owner: root
+ checksum: sha256:cafb01beac341bf2a9ba89793e6dd2468110291adfbb6c62ed11a0cde6c09029
+
+- name: Add Vault repository
+ ansible.builtin.apt_repository:
+ repo: "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.asc] https://apt.releases.hashicorp.com {{ ansible_distribution_release }} main"
+ state: present
+
+- name: Intall Vault
+ ansible.builtin.apt:
+ update_cache: true
+ name:
+ - vault
+
+- name: Retrieve role_id and secret_id from Vault
+ community.hashi_vault.vault_kv2_get:
+ path: certificat-web-id
+ register: certificat_secrets
+ run_once: true
+ delegate_to: localhost
+ become: false
+
+- name: Create vault agent workdir
+ ansible.builtin.file:
+ path: /root/vault_agent_certificat
+ state: directory
+ mode: '0755'
+ owner: root
+ group: root
+
+- name: Create role_id file
+ vars:
+ content: "{{ certificat_secrets.secret.role_id }}"
+ ansible.builtin.template:
+ src: content.j2
+ dest: /root/vault_agent_certificat/role_id
+ mode: '0600'
+ owner: root
+ group: root
+
+- name: Create secret_id file
+ vars:
+ content: "{{ certificat_secrets.secret.secret_id }}"
+ ansible.builtin.template:
+ src: content.j2
+ dest: /root/vault_agent_certificat/secret_id
+ mode: '0600'
+ owner: root
+ group: root
+
+- name: Copy agent-config.hcl
+ ansible.builtin.template:
+ src: agent-config.hcl.j2
+ dest: /root/vault_agent_certificat/agent-config.hcl
+ mode: '0644'
+ owner: root
+ group: root
+ notify: Restart vault-agent-certificates
+
+- name: Copy retrieving_cert.tmpl
+ ansible.builtin.copy:
+ src: retrieving_cert.tmpl
+ dest: /root/vault_agent_certificat/retrieving_cert.tmpl
+ mode: '0644'
+ owner: root
+ group: root
+
+- name: Copy vault-agent-certificates.service
+ ansible.builtin.copy:
+ src: vault-agent-certificates.service
+ dest: 
/etc/systemd/system/vault-agent-certificates.service
+ mode: '0644'
+ owner: root
+ group: root
+
+- name: Start vault-agent-certificates service
+ ansible.builtin.systemd:
+ name: vault-agent-certificates
+ state: started
+ enabled: true
+ daemon_reload: true
diff --git a/roles/vault_agent/templates/agent-config.hcl.j2 b/roles/vault_agent/templates/agent-config.hcl.j2
new file mode 100644
index 0000000..9efcb96
--- /dev/null
+++ b/roles/vault_agent/templates/agent-config.hcl.j2
@@ -0,0 +1,39 @@
+vault {
+ address = "https://vault.rezoleo.fr"
+ retry {
+ num_retries = 5
+ }
+}
+
+auto_auth {
+ method {
+ type = "approle"
+
+ config = {
+ // create a role in vault with a policy able to "read" the secret
+ role_id_file_path = "role_id" // to change based on the path of the role_id file
+ secret_id_file_path = "secret_id" // to change based on the path of the secret_id file
+ remove_secret_id_file_after_reading = false
+ }
+ }
+
+ sinks {
+ sink {
+ type = "file"
+
+ config = {
+ path = "sink-token"
+ }
+ }
+ }
+}
+
+template {
+ source = "retrieving_cert.tmpl"
+ destination = "/etc/nginx/certificates/template_output" // to change based on the path of the nginx certificates
+ perms = "0600"
+
+ exec {
+ command = {{vault_agent_command | tojson}}
+ }
+}
\ No newline at end of file
diff --git a/roles/vault_agent/templates/content.j2 b/roles/vault_agent/templates/content.j2
new file mode 100644
index 0000000..59245f0
--- /dev/null
+++ b/roles/vault_agent/templates/content.j2
@@ -0,0 +1 @@
+{{content}}
\ No newline at end of file
From 03641fbd66fe1475011ee0d7d99fee5c6da16c7c Mon Sep 17 00:00:00 2001
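Review bot: The "Retrieve role_id and secret_id from Vault" task and the two `content.j2` template tasks ("Create role_id file", "Create secret_id file") handle the AppRole credentials without `no_log: true`, so a run with `-v` or `--diff` prints the secret_id in the controller output and in any CI log that captures it; add `no_log: true` to all three tasks. `delegate_to: localhost` with `become: false` is the right shape for the lookup, but note that the registered `certificat_secrets` carries the secret for the rest of the play on every host. The working directory is created with `mode: '0755'` although it will hold `role_id`, `secret_id` and the agent's token sink; `mode: '0700'` costs nothing since the service runs as root. The "Copy vault-agent-certificates.service" task has no `notify`, so an edited unit is reloaded (`daemon_reload: true` on the start task) but the running agent is not restarted.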
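Review bot: The file sink at `path = "sink-token"` is created with Vault agent's default sink mode, which the file-sink documentation gives as 0640; since the file holds the live Vault token, set it explicitly, `mode = 0600`, in the sink `config` block. `remove_secret_id_file_after_reading = false` combined with the Ansible-provisioned `secret_id` leaves a static role_id/secret_id pair on disk, i.e. a standing credential for the certificate secret; bound the role on the Vault side (`secret_id_bound_cidrs`, `token_bound_cidrs`, a short token TTL) or deliver the secret_id response-wrapped, and say which in the comment above `role_id_file_path`. `address` is the only hard-coded deployment value in an otherwise templated file; a `vault_agent_vault_address` variable would keep it consistent with the rest of the role.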
From: Zaku <127139771+Zakurama@users.noreply.github.com>
Date: Mon, 18 Nov 2024 20:00:58 +0100
Subject: [PATCH 2/5] feat: copying certificates to target directory
---
 roles/vault_agent/files/retrieving_cert.tmpl | 10 ----------
 roles/vault_agent/tasks/main.yml | 13 +++++++++++--
 roles/vault_agent/templates/retrieving_cert.tmpl.j2 | 10 ++++++++++
 3 files changed, 21 insertions(+), 12 deletions(-)
 delete mode 100644 roles/vault_agent/files/retrieving_cert.tmpl
 create mode 100644 roles/vault_agent/templates/retrieving_cert.tmpl.j2
diff --git a/roles/vault_agent/files/retrieving_cert.tmpl b/roles/vault_agent/files/retrieving_cert.tmpl
deleted file mode 100644
index 8be1415..0000000
--- a/roles/vault_agent/files/retrieving_cert.tmpl
+++ /dev/null
@@ -1,10 +0,0 @@
-{{with secret "secret/certificat-web"}}
-{{ index .Data.data "privkey.pem" | writeToFile "privkey.pem" "" "" "0400"}}
-{{ index .Data.data "chain.pem" | writeToFile "chain.pem" "" "" "0400"}}
-{{ index .Data.data "cert.pem" | writeToFile "cert.pem" "" "" "0400"}}
-{{ index .Data.data "fullchain.pem" | writeToFile "fullchain.pem" "" "" "0400"}}
-{{ index .Data.data "privkey.pem"}}
-{{ index .Data.data "chain.pem"}}
-{{ index .Data.data "cert.pem"}}
-{{ index .Data.data "fullchain.pem"}}
-{{end}}
\ No newline at end of file
diff --git a/roles/vault_agent/tasks/main.yml b/roles/vault_agent/tasks/main.yml
index 35f65f8..5d7311f 100644
--- a/roles/vault_agent/tasks/main.yml
+++ b/roles/vault_agent/tasks/main.yml
@@ -63,12 +63,13 @@
 notify: Restart vault-agent-certificates
 
 - name: Copy retrieving_cert.tmpl
- ansible.builtin.copy:
- src: retrieving_cert.tmpl
+ ansible.builtin.template:
+ src: retrieving_cert.tmpl.j2
 dest: /root/vault_agent_certificat/retrieving_cert.tmpl
 mode: '0644'
 owner: root
 group: root
+ notify: Restart vault-agent-certificates
 
- name: Copy vault-agent-certificates.service
 ansible.builtin.copy:
@@ -78,6 +79,14 @@
 owner: root
 group: root
 
+- name: Create directory for certificates
+ ansible.builtin.file:
+ state: directory
+ dest: "{{ vault_agent_certificate_directory }}"
+ mode: '0755'
+ owner: root
+ group: root
+
 - name: Start vault-agent-certificates service
 ansible.builtin.systemd:
 name: vault-agent-certificates
diff --git a/roles/vault_agent/templates/retrieving_cert.tmpl.j2 b/roles/vault_agent/templates/retrieving_cert.tmpl.j2
new file mode 100644
index 0000000..548265a
--- /dev/null
+++ b/roles/vault_agent/templates/retrieving_cert.tmpl.j2
@@ -0,0 +1,10 @@
+{{ '{{' }}with secret "secret/certificat-web"{{ '}}' }}
+{{ '{{' }} index .Data.data "privkey.pem" | writeToFile "{{vault_agent_certificate_directory}}/privkey.pem" "" "" "0400"{{ '}}' }}
+{{ '{{' }} index .Data.data "chain.pem" | writeToFile "{{vault_agent_certificate_directory}}/chain.pem" "" "" "0400"{{ '}}' }}
+{{ '{{' }} index .Data.data "cert.pem" | writeToFile "{{vault_agent_certificate_directory}}/cert.pem" "" "" "0400"{{ '}}' }}
+{{ '{{' }} index .Data.data "fullchain.pem" | writeToFile "{{vault_agent_certificate_directory}}/fullchain.pem" "" "" "0400"{{ '}}' }}
+{{ '{{' }} index .Data.data "privkey.pem"{{ '}}' }}
+{{ '{{' }} index .Data.data "chain.pem"{{ '}}' }}
+{{ '{{' }} index .Data.data "cert.pem"{{ '}}' }}
+{{ '{{' }} index .Data.data "fullchain.pem"{{ '}}' }}
+{{ '{{' }}end{{ '}}' }}
From d39ed1b7278311e80f0f82ff28fec4ec6dc45ad2 Mon Sep 17 00:00:00 2001
From: Zaku <127139771+Zakurama@users.noreply.github.com>
Date: Sun, 24 Nov 2024 12:56:47 +0100
Subject: [PATCH 3/5] style: fix PR remarks
Changign variables string in templates Clearer variable name and comments for reload command
---
 roles/vault_agent/tasks/main.yml | 2 ++
 .../vault_agent/templates/agent-config.hcl.j2 | 5 +++--
 .../templates/retrieving_cert.tmpl.j2 | 20 +++++++++----------
 3 files changed, 15 insertions(+), 12 deletions(-)
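Review bot: `vault_agent_certificate_directory` is consumed by the new "Create directory for certificates" task and by the template, but nothing in the role declares it — no entry in `defaults/main.yml` and no `ansible.builtin.assert` — so a host that forgets it fails deep inside the template task with an undefined-variable error instead of a clear message; declare it (or assert it) at the top of the tasks. As a point of style, the earlier "Create vault agent workdir" task spells the same parameter `path:`, while this task uses the alias `dest:`; `path: "{{ vault_agent_certificate_directory }}"` keeps the two consistent. The `0755` mode is appropriate here since the files themselves are written `0400` by the agent and nginx's master process reads them as root.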
diff --git a/roles/vault_agent/tasks/main.yml b/roles/vault_agent/tasks/main.yml
index 5d7311f..9fb4158 100644
--- a/roles/vault_agent/tasks/main.yml
+++ b/roles/vault_agent/tasks/main.yml
@@ -69,6 +69,8 @@
 mode: '0644'
 owner: root
 group: root
+ variable_start_string: '<<'
+ variable_end_string: '>>'
 notify: Restart vault-agent-certificates
 
- name: Copy vault-agent-certificates.service
diff --git a/roles/vault_agent/templates/agent-config.hcl.j2 b/roles/vault_agent/templates/agent-config.hcl.j2
index 9efcb96..83962d5 100644
--- a/roles/vault_agent/templates/agent-config.hcl.j2
+++ b/roles/vault_agent/templates/agent-config.hcl.j2
@@ -34,6 +34,7 @@ template {
 perms = "0600"
 
 exec {
- command = {{vault_agent_command | tojson}}
+ command = {{service_reload_command | tojson}} {# to reload the service after retrieving the certificate #}
+
-}
\ No newline at end of file
+}
diff --git a/roles/vault_agent/templates/retrieving_cert.tmpl.j2 b/roles/vault_agent/templates/retrieving_cert.tmpl.j2
index 548265a..a2815de 100644
--- a/roles/vault_agent/templates/retrieving_cert.tmpl.j2
+++ b/roles/vault_agent/templates/retrieving_cert.tmpl.j2
@@ -1,10 +1,10 @@
-{{ '{{' }}with secret "secret/certificat-web"{{ '}}' }}
-{{ '{{' }} index .Data.data "privkey.pem" | writeToFile "{{vault_agent_certificate_directory}}/privkey.pem" "" "" "0400"{{ '}}' }}
-{{ '{{' }} index .Data.data "chain.pem" | writeToFile "{{vault_agent_certificate_directory}}/chain.pem" "" "" "0400"{{ '}}' }}
-{{ '{{' }} index .Data.data "cert.pem" | writeToFile "{{vault_agent_certificate_directory}}/cert.pem" "" "" "0400"{{ '}}' }}
-{{ '{{' }} index .Data.data "fullchain.pem" | writeToFile "{{vault_agent_certificate_directory}}/fullchain.pem" "" "" "0400"{{ '}}' }}
-{{ '{{' }} index .Data.data "privkey.pem"{{ '}}' }}
-{{ '{{' }} index .Data.data "chain.pem"{{ '}}' }}
-{{ '{{' }} index .Data.data "cert.pem"{{ '}}' }}
-{{ '{{' }} index .Data.data "fullchain.pem"{{ '}}' }}
-{{ '{{' }}end{{ '}}' }}
+{{with secret "secret/certificat-web"}}
+{{ index .Data.data "privkey.pem" | writeToFile "<>/privkey.pem" "" "" "0400" }}
+{{ index .Data.data "chain.pem" | writeToFile "<>/chain.pem" "" "" "0400" }}
+{{ index .Data.data "cert.pem" | writeToFile "<>/cert.pem" "" "" "0400" }}
+{{ index .Data.data "fullchain.pem" | writeToFile "<>/fullchain.pem" "" "" "0400" }}
+{{ index .Data.data "privkey.pem" }}
+{{ index .Data.data "chain.pem" }}
+{{ index .Data.data "cert.pem" }}
+{{ index .Data.data "fullchain.pem" }}
+{{end}}
From d97e7366f9a11a7416477d74b6e2c44808055f51 Mon Sep 17 00:00:00 2001
From: Zaku <127139771+Zakurama@users.noreply.github.com>
Date: Sun, 24 Nov 2024 13:02:03 +0100
Subject: [PATCH 4/5] fix: write template output to correct directory
---
 roles/vault_agent/templates/agent-config.hcl.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/vault_agent/templates/agent-config.hcl.j2 b/roles/vault_agent/templates/agent-config.hcl.j2
index 83962d5..7cd9dd1 100644
--- a/roles/vault_agent/templates/agent-config.hcl.j2
+++ b/roles/vault_agent/templates/agent-config.hcl.j2
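Review bot: The `writeToFile` targets read `"<>/privkey.pem"` in this hunk, presumably `<< vault_agent_certificate_directory >>` with the new `<<`/`>>` delimiters lost in rendering; it is worth confirming the committed file really carries the delimited variable, because a literal `<>` is a relative path and the agent would silently create a `<>` directory under its working directory. The KV path `secret/certificat-web` stays hard-coded while the directory is now templated; a `<< vault_agent_secret_path >>` variable would keep the template reusable for a second certificate. Also note that `{{with secret ...}}` renders an empty block rather than failing when the path is missing or the AppRole policy denies it (behaviour to verify against the pinned agent version), so the first visible symptom of a policy mistake would be the reload command running against files that were never written.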
@@ -30,7 +30,7 @@ auto_auth {
 
 template {
 source = "retrieving_cert.tmpl"
- destination = "/etc/nginx/certificates/template_output" // to change based on the path of the nginx certificates
+ destination = "{{ vault_agent_certificate_directory }}/template_output"
 perms = "0600"
 
 exec {
From 0b2102bc625cdcb4e0a61082b048253905125162 Mon Sep 17 00:00:00 2001
From: Zaku <127139771+Zakurama@users.noreply.github.com>
Date: Tue, 26 Nov 2024 09:34:46 +0100
Subject: [PATCH 5/5] fix: fix PR remarks
Pinned Vault package Created working directory default variable
---
 roles/vault_agent/defaults/main.yml | 3 +++
 roles/vault_agent/tasks/main.yml | 22 +++++++++++++------
 .../vault_agent/templates/agent-config.hcl.j2 | 4 ++--
 .../vault-agent-certificates.service.j2} | 2 +-
 roles/vault_agent/templates/vault.pref.j2 | 4 ++++
 5 files changed, 25 insertions(+), 10 deletions(-)
 create mode 100644 roles/vault_agent/defaults/main.yml
 rename roles/vault_agent/{files/vault-agent-certificates.service => templates/vault-agent-certificates.service.j2} (81%)
 create mode 100644 roles/vault_agent/templates/vault.pref.j2
diff --git a/roles/vault_agent/defaults/main.yml b/roles/vault_agent/defaults/main.yml
new file mode 100644
index 0000000..372ef11
--- /dev/null
+++ b/roles/vault_agent/defaults/main.yml
@@ -0,0 +1,3 @@
+vault_agent_working_directory: /root/vault_agent_certificates
+
+vault_agent_vault_version: 1.18.2
diff --git a/roles/vault_agent/tasks/main.yml b/roles/vault_agent/tasks/main.yml
index 9fb4158..d5eb9d3 100644
--- a/roles/vault_agent/tasks/main.yml
+++ b/roles/vault_agent/tasks/main.yml
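Review bot: The new `defaults/main.yml` declares only two of the four variables the role consumes; `vault_agent_certificate_directory` and `vault_agent_service_reload_command` remain undeclared, so a missing value still surfaces as an undefined-variable error inside a template task rather than a clear failure — either give them defaults here or add an `ansible.builtin.assert` on them at the top of the tasks. `vault_agent_vault_version: 1.18.2` happens to parse as a string because it has two dots, but a future `1.19` would become a float and break the `Pin: version` line; write it as `vault_agent_vault_version: "1.18.2"`. The default working directory also changes from `/root/vault_agent_certificat` to `/root/vault_agent_certificates`, so hosts provisioned by the earlier commits keep a stale copy of `role_id`/`secret_id` in the old path; a cleanup task or a note in the commit message would help.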
@@ -6,6 +6,14 @@
 owner: root
 checksum: sha256:cafb01beac341bf2a9ba89793e6dd2468110291adfbb6c62ed11a0cde6c09029
 
+- name: Pin Vault package
+ ansible.builtin.template:
+ src: vault.pref.j2
+ dest: /etc/apt/preferences.d/vault.pref
+ mode: '0644'
+ owner: root
+ group: root
+
 - name: Add Vault repository
 ansible.builtin.apt_repository:
 repo: "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.asc] https://apt.releases.hashicorp.com {{ ansible_distribution_release }} main"
@@ -27,7 +35,7 @@
 
 - name: Create vault agent workdir
 ansible.builtin.file:
- path: /root/vault_agent_certificat
+ path: "{{ vault_agent_working_directory }}"
 state: directory
 mode: '0755'
 owner: root
@@ -38,7 +46,7 @@
 content: "{{ certificat_secrets.secret.role_id }}"
 ansible.builtin.template:
 src: content.j2
- dest: /root/vault_agent_certificat/role_id
+ dest: "{{ vault_agent_working_directory }}/role_id"
 mode: '0600'
 owner: root
 group: root
@@ -48,7 +56,7 @@
 content: "{{ certificat_secrets.secret.secret_id }}"
 ansible.builtin.template:
 src: content.j2
- dest: /root/vault_agent_certificat/secret_id
+ dest: "{{ vault_agent_working_directory }}/secret_id"
 mode: '0600'
 owner: root
 group: root
@@ -56,7 +64,7 @@
 - name: Copy agent-config.hcl
 ansible.builtin.template:
 src: agent-config.hcl.j2
- dest: "{{ vault_agent_working_directory }}/agent-config.hcl"
 mode: '0644'
 owner: root
 group: root
@@ -65,7 +73,7 @@
 - name: Copy retrieving_cert.tmpl
 ansible.builtin.template:
 src: retrieving_cert.tmpl.j2
- dest: /root/vault_agent_certificat/retrieving_cert.tmpl
+ dest: "{{ vault_agent_working_directory }}/retrieving_cert.tmpl"
 mode: '0644'
 owner: root
 group: root
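Review bot: The "Create vault agent workdir" hunk keeps `mode: '0755'` on the directory that, per the following hunks, receives `role_id`, `secret_id` and the agent's token sink; `mode: '0700'` is the safer choice and changes nothing for the agent, which runs as root. The "Pin Vault package" task is placed correctly before the repository is added, but `Pin-Priority: 1000` also forces a downgrade whenever `vault_agent_vault_version` is lowered — presumably intended for reproducible installs, and worth one comment on the task so nobody is surprised by an unattended downgrade. The unversioned `name: - vault` in the install task then relies entirely on the pin; `name: "vault={{ vault_agent_vault_version }}-*"` would make the intent visible in the task as well.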
@@ -74,8 +82,8 @@
 notify: Restart vault-agent-certificates
 
 - name: Copy vault-agent-certificates.service
- ansible.builtin.copy:
- src: vault-agent-certificates.service
+ ansible.builtin.template:
+ src: vault-agent-certificates.service.j2
 dest: /etc/systemd/system/vault-agent-certificates.service
 mode: '0644'
 owner: root
diff --git a/roles/vault_agent/templates/agent-config.hcl.j2 b/roles/vault_agent/templates/agent-config.hcl.j2
index 7cd9dd1..1842b50 100644
--- a/roles/vault_agent/templates/agent-config.hcl.j2
+++ b/roles/vault_agent/templates/agent-config.hcl.j2
@@ -34,7 +34,7 @@ template {
 perms = "0600"
 
 exec {
- command = {{service_reload_command | tojson}} {# to reload the service after retrieving the certificate #}
-
+ // command used to to reload the service after retrieving the certificate, in the form of ["binary", "arg1", "arg2", ...]
+ command = {{ vault_agent_service_reload_command | tojson }}
 }
 }
diff --git a/roles/vault_agent/files/vault-agent-certificates.service b/roles/vault_agent/templates/vault-agent-certificates.service.j2
similarity index 81%
rename from roles/vault_agent/files/vault-agent-certificates.service
rename to roles/vault_agent/templates/vault-agent-certificates.service.j2
index 07a9c95..9c66032 100644
--- a/roles/vault_agent/files/vault-agent-certificates.service
+++ b/roles/vault_agent/templates/vault-agent-certificates.service.j2
@@ -4,7 +4,7 @@ After=network.target
 
 [Service]
 Type=notify
-WorkingDirectory=/root/vault_agent_certificat
+WorkingDirectory={{ vault_agent_working_directory }}
 ExecStart=/usr/bin/vault agent -config=agent-config.hcl
 Restart=always
 
diff --git a/roles/vault_agent/templates/vault.pref.j2 b/roles/vault_agent/templates/vault.pref.j2
new file mode 100644
index 0000000..bcb7f08
--- /dev/null
+++ b/roles/vault_agent/templates/vault.pref.j2
@@ -0,0 +1,4 @@
+Explanation: Ansible - Vault pinning
+Package: vault
+Pin: version {{ vault_agent_vault_version }}-*
+Pin-Priority: 1000
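Review bot: Now that the unit file is rendered from a template with `WorkingDirectory={{ vault_agent_working_directory }}`, a change to that variable rewrites the unit, but the "Copy vault-agent-certificates.service" task still has no handler (the hunk ends at `owner: root`; the remainder of the task is outside it, and in the earlier commits it carried no `notify`), so an already-running agent keeps its old working directory until something else restarts it; add `notify: Restart vault-agent-certificates` to this task as the agent-config and tmpl tasks already do. Since `daemon_reload: true` only runs on the start task, the handler's `state: restarted` is what actually picks up the new unit.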
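Review bot: The new `//` comment above `command` says what the value is but not what it is trusted to do: `vault_agent_service_reload_command` is executed by Vault agent as root every time the rendered output changes, so whoever sets that variable in inventory controls a root command on the host. A one-line caveat would help the next maintainer, e.g. `// runs as root whenever the secret changes — keep this to a fixed reload such as ["systemctl", "reload", "nginx"]`. The duplicated "to to" in the comment is a typo.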